| CVE/PSC | Application | Date | Affected versions | Description |
|---|---|---|---|---|
| Actual on: Apr 02, 2026, 17:04:58 | Entries count: 111 | |||
|
Billplz Addon for Contact Form 7
vulnerable
|
Aug 16, 2025, 21:08:21 |
Min -
Max 1.2.1
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alvind Billplz Addon for Contact Form 7 allows Reflected XSS. This issue affects Billplz Addon for Contact Form 7: from n/a through 1.2.0. | |
|
Connect Contact Form 7 to Constant Contact
vulnerable
|
Dec 14, 2024, 23:12:25 |
Min -
Max 1.4
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Howard Ehrenberg Connect Contact Form 7 to Constant Contact allows Reflected XSS. This issue affects Connect Contact Form 7 to Constant Contact: from n/a through 1.4. | |
|
Coinbase Commerce for Contact Form 7
vulnerable
|
Jun 06, 2024, 23:06:27 |
Min -
Max 1.1.2
|
Coinbase Commerce for Contact Form 7 [coinbase-commerce-for-contact-form-7] < 1.1.2. WordPress Coinbase Commerce for Contact Form 7 Plugin <= 1.1.1 is vulnerable to Cross Site Scripting (XSS). Update the WordPress Coinbase Commerce for Contact Form 7 plugin to the latest available version (at least 1.1.2). Rafie Muhammad (Patchstack) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Coinbase Commerce for Contact Form 7 Plugin. This could allow a malicious actor to inject... | |
|
Contact Form 7 Round Robin Lead Distribution
vulnerable
|
Jan 24, 2025, 20:01:19 |
Min -
Max 1.2.1
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Contact Form 7 Round Robin Lead Distribution allows Reflected XSS. This issue affects Contact Form 7 Round Robin Lead Distribution: from n/a through 1.2.1. | |
|
Contact Form 7 Round Robin Lead Distribution
vulnerable
|
Jan 21, 2025, 16:01:40 |
Min -
Max 1.2.1
|
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NotFound Contact Form 7 Round Robin Lead Distribution allows SQL Injection. This issue affects Contact Form 7 Round Robin Lead Distribution: from n/a through 1.2.1. | |
|
vulnerable
|
Jan 18, 2025, 16:01:46 |
Min -
Max 1.0.1
|
Missing Authorization vulnerability in SzMake Contact Form 7 Anti Spambot allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contact Form 7 Anti Spambot: from n/a through 1.0.1. | |
|
Accept Authorize.NET Payments Using Contact Form 7
vulnerable
|
Dec 19, 2024, 15:12:30 |
Min -
Max 2.3
|
The Accept Authorize.NET Payments Using Contact Form 7 plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.2 via the cf7adn-info.php file. This makes it possible for unauthenticated attackers to extract configuration data which can be used to aid in other attacks. | |
|
Accept Authorize.NET Payments Using Contact Form 7
vulnerable
|
Jul 01, 2025, 13:07:31 |
Min -
Max 2.5
|
Insertion of Sensitive Information Into Sent Data vulnerability in ZealousWeb Accept Authorize.NET Payments Using Contact Form 7 allows Retrieve Embedded Sensitive Data. This issue affects Accept Authorize.NET Payments Using Contact Form 7: from n/a through 2.5. | |
|
Accept Stripe Payments Using Contact Form 7
vulnerable
|
Dec 13, 2024, 16:12:25 |
Min -
Max 2.6
|
The Accept Stripe Payments Using Contact Form 7 plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.5 via the cf7sa-info.php file that returns phpinfo() data. This makes it possible for unauthenticated attackers to extract configuration information that can be leveraged in another attack. | |
|
Accept Stripe Payments Using Contact Form 7
vulnerable
|
Jul 03, 2025, 17:07:41 |
Min -
Max 3.0
|
Insertion of Sensitive Information Into Sent Data vulnerability in ZealousWeb Accept Stripe Payments Using Contact Form 7 allows Retrieve Embedded Sensitive Data. This issue affects Accept Stripe Payments Using Contact Form 7: from n/a through 3.0. | |
|
Accept Stripe Payments Using Contact Form 7
vulnerable
|
Jan 10, 2026, 05:01:12 |
Min -
Max 3.1
|
The Accept Stripe Payments Using Contact Form 7 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'failure_message' parameter in versions up to, and including, 3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |
|
Add-on SweetAlert Contact Form 7
vulnerable
|
Jun 07, 2024, 06:06:49 |
Min -
Max 1.0.8
|
Add-on SweetAlert Contact Form 7 [addon-sweetalert-contact-form-7] < 1.0.8. WordPress Add-on SweetAlert Contact Form 7 plugin <= 1.0.7 - Authenticated Cross-Site Scripting (XSS) vulnerability. Authenticated Cross-Site Scripting (XSS) vulnerability discovered by Juan M. in WordPress Add-on SweetAlert Contact Form 7 plugin (versions <= 1.0.7). | |
|
Contact Form 7 – Clockwork SMS
vulnerable
|
Jun 06, 2024, 21:06:01 |
Min -
Max 2.4.0
|
The contact-form-7-sms-addon plugin before 2.4.0 for WordPress has XSS. | |
|
Contact Form 7 – Clockwork SMS
vulnerable
|
Jun 06, 2024, 21:06:01 |
Min -
Max 2.4.1
|
The Clockwork SMS clockwork-test-message.php component has XSS via a crafted "to" parameter in a clockwork-test-message request to wp-admin/admin.php. This component code is found in the following WordPress plugins: Clockwork Free and Paid SMS Notifications 2.0.3, Two-Factor Authentication - Clockwork SMS 1.0.2, Booking Calendar - Clockwork SMS 1.0.5, Contact Form 7 - Clockwork SMS 2.3.0, Fast Secure Contact Form - Clockwork SMS 2.1.2, Formidable - Clockwork SMS 1.0.2, Gravity Forms - Clockwork SMS 2.2, and... | |
|
vulnerable
|
Jun 29, 2025, 03:06:54 |
Min -
Max 2.0
|
Missing Authorization vulnerability in ZealousWeb Abandoned Contact Form 7 allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Abandoned Contact Form 7: from n/a through 2.0. | |
|
Live Drag and Drop Builder for Contact Form 7
vulnerable
|
Jun 06, 2024, 21:06:24 |
Min -
Max 1.2.4
|
Live Drag and Drop Builder for Contact Form 7 [drag-and-drop-form-builder-for-contact-form-7] < 1.2.4. WordPress Live Drag and Drop Builder for Contact Form 7 plugin <= 1.2.3 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability. Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability discovered in WordPress Live Drag and Drop Builder for Contact Form 7 plugin (versions <= 1.2.3). | |
|
Live Drag and Drop Builder for Contact Form 7
vulnerable
|
Nov 16, 2024, 11:11:05 |
Min -
Max 1.2.4
|
The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable. | |
|
vulnerable
|
Apr 06, 2025, 17:04:27 |
Min -
Max 1.0.4
|
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in cmsMinds Pay with Contact Form 7 allows SQL Injection. This issue affects Pay with Contact Form 7: from n/a through 1.0.4. | |
|
vulnerable
|
Jun 15, 2025, 07:06:14 |
Min -
Max 1.0.4
|
Cross-Site Request Forgery (CSRF) vulnerability in cmsMinds Pay with Contact Form 7 allows Cross Site Request Forgery. This issue affects Pay with Contact Form 7: from n/a through 1.0.4. | |
|
vulnerable
|
Jul 18, 2025, 22:07:42 |
Min -
Max 1.0.4
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in cmsMinds Pay with Contact Form 7 allows Reflected XSS. This issue affects Pay with Contact Form 7: from n/a through 1.0.4. | |
|
Rate limiting for Contact Form 7
vulnerable
|
Jun 06, 2024, 23:06:48 |
Min -
Max 1.0.4
|
Rate limiting for Contact Form 7 [rate-limiting-for-contact-form-7] < 1.0.4. WordPress Rate limiting for Contact Form 7 plugin < 1.0.4 - Sensitive Information Disclosure vulnerability. Sensitive Information Disclosure vulnerability discovered in WordPress Rate limiting for Contact Form 7 plugin (versions < 1.0.4). | |
|
Contact Form – 7 : Hide Success Message
vulnerable
|
Jul 04, 2025, 04:07:14 |
Min -
Max 1.1.4
|
Missing Authorization vulnerability in Rohil Contact Form – 7 : Hide Success Message allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Contact Form – 7 : Hide Success Message: from n/a through 1.1.4. | |
|
vulnerable
|
Jan 10, 2026, 03:01:47 |
Min -
Max 1.1.0
|
The Contact Form 7 with ChatWork plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'api_token' and 'roomid' settings in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses the settings page. This only affects multi-site installations and installations where unfiltered_h... | |
|
User Registration Using Contact Form 7
vulnerable
|
Jan 28, 2026, 03:01:31 |
Min -
Max 2.6
|
The User Registration Using Contact Form 7 plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_cf7_form_data' function in all versions up to, and including, 2.5. This makes it possible for unauthenticated attackers to retrieve form settings which includes Facebook app secrets. | |
|
User Registration Using Contact Form 7
vulnerable
|
Apr 11, 2025, 19:04:10 |
Min -
Max 2.2
|
Cross-Site Request Forgery (CSRF) vulnerability in ZealousWeb User Registration Using Contact Form 7 allows Cross Site Request Forgery. This issue affects User Registration Using Contact Form 7: from n/a through 2.2. | |
|
Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms
vulnerable
|
Jul 21, 2025, 08:07:27 |
Min -
Max 1.1.2
|
The Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1.1 via deserialization of untrusted input within the verify_field_val() function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be used alongside, allows attackers to delete arbitrary files, leading to a den... | |
|
Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms
vulnerable
|
Apr 02, 2025, 14:04:13 |
Min -
Max 1.1.0
|
Cross-Site Request Forgery (CSRF) vulnerability in CRM Perks Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms allows Cross Site Request Forgery. This issue affects Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms: from n/a through 1.0.9. | |
|
Integration of Zoho CRM and Contact Form 7
vulnerable
|
Apr 03, 2025, 06:04:41 |
Min -
Max 1.0.6
|
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in formsintegrations Integration of Zoho CRM and Contact Form 7 allows Phishing. This issue affects Integration of Zoho CRM and Contact Form 7: from n/a through 1.0.6. | |
|
Track Geolocation Of Users Using Contact Form 7
vulnerable
|
Jun 07, 2024, 01:06:42 |
Min -
Max 2.1
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ZealousWeb Track Geolocation Of Users Using Contact Form 7 allows Stored XSS. This issue affects Track Geolocation Of Users Using Contact Form 7: from n/a through 2.0. | |
|
Contact Form 7 Select Box Editor Button
vulnerable
|
Mar 13, 2025, 15:03:47 |
Min -
Max 0.6
|
Cross-Site Request Forgery (CSRF) vulnerability in Benjamin Pick Contact Form 7 Select Box Editor Button allows Cross Site Request Forgery. This issue affects Contact Form 7 Select Box Editor Button: from n/a through 0.6. | |
|
Contact Form 7 AWeber Extension
vulnerable
|
Jul 02, 2025, 23:07:11 |
Min -
Max 0.1.38
|
Missing Authorization vulnerability in Renzo Contact Form 7 AWeber Extension allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contact Form 7 AWeber Extension: from n/a through 0.1.38. | |
|
Contact Form 7 AWeber Extension
vulnerable
|
Dec 11, 2025, 09:12:51 |
Min -
Max 0.1.43
|
The Contact Form 7 AWeber Extension plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_aweber_logreset' AJAX endpoint in all versions up to, and including, 0.1.42. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the AWeber logs. | |
|
Contact Form 7 Multi-Step Addon
vulnerable
|
Jul 23, 2024, 01:07:40 |
Min 1.0.4
Max 1.0.5
|
Several plugins for WordPress hosted on WordPress.org have been compromised and injected with malicious PHP scripts. A malicious threat actor compromised the source code of various plugins and injected code that exfiltrates database credentials and is used to create new, malicious, administrator users and send that data back to a server. Currently, not all plugins have been patched and we strongly recommend uninstalling the plugins for the time being and running a complete malware scan. | |
|
Contact Form 7 Multi-Step Addon
vulnerable
|
Jun 26, 2024, 14:06:02 |
Min 1.0.4
Max 1.0.5
|
Contact Form Multi-Step Addon [contact-form-7-multi-step-addon] >= 1.0.4 - <= 1.0.5. Several WordPress.org Plugins <= Various Versions - Injected Backdoor. Several plugins for WordPress hosted on WordPress.org have been compromised and injected with malicious PHP scripts. A malicious threat actor compromised the source code of various plugins and injected code that exfiltrates database credentials and is used to create new, malicious, administrator users and send that data back to a server. All plugins h... | |
|
Contact Form 7 Star Rating with font Awesome
vulnerable
|
Feb 26, 2025, 12:02:12 |
Min -
Max 1.3
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themelogger Contact Form 7 Star Rating with font Awesome allows Stored XSS. This issue affects Contact Form 7 Star Rating with font Awesome: from n/a through 1.3. | |
|
vulnerable
|
Feb 26, 2025, 22:02:30 |
Min -
Max 1.10
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themelogger Contact Form 7 Star Rating allows Stored XSS. This issue affects Contact Form 7 Star Rating: from n/a through 1.10. | |
|
Dynamic Text Field For Contact Form 7
vulnerable
|
Sep 10, 2025, 13:09:59 |
Min -
Max 1.1
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in silverplugins217 Dynamic Text Field For Contact Form 7 allows Stored XSS. This issue affects Dynamic Text Field For Contact Form 7: from n/a through 1.0. | |
|
Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms
vulnerable
|
Jun 07, 2024, 07:06:30 |
Min -
Max 1.1.1
|
Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms [integration-for-contact-form-7-and-pipedrive] < 1.1.1. Multiple Plugins from CRM Perks - Reflected Cross-Site Scripting. Numerous plugins from the CRM Perks vendor do not escape parameters before outputting them back in attributes in admin pages, leading to Reflected Cross-Site Scripting issues executed in the context of a logged in administrator. It first started with an obvious XSS via the vx_debug GET parameter in 7 plu... | |
|
Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms
vulnerable
|
Jun 07, 2024, 07:06:30 |
Min -
Max 1.2.1
|
Cross-Site Request Forgery (CSRF) vulnerability in CRM Perks Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms. This issue affects Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms: from n/a through 1.2.0. | |
|
Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms
vulnerable
|
Jul 21, 2025, 17:07:35 |
Min -
Max 1.2.4
|
The Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.3 via deserialization of untrusted input within the verify_field_val() function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be used alongside, allows attackers to delete arbitrary files, leading to a denial ... | |
|
Autocomplete Location field Contact Form 7
vulnerable
|
Jun 06, 2024, 21:06:49 |
Min -
Max 3.0
|
The Autocomplete Location field Contact Form 7 WordPress plugin before 3.0, autocomplete-location-field-contact-form-7-pro WordPress plugin before 2.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |
|
Contact Form 7 GetResponse Extension
vulnerable
|
Jan 28, 2026, 04:01:52 |
Min -
Max 1.0.8
|
Insertion of Sensitive Information Into Sent Data vulnerability in WEN Solutions Contact Form 7 GetResponse Extension contact-form-7-getresponse-extension allows Retrieve Embedded Sensitive Data. This issue affects Contact Form 7 GetResponse Extension: from n/a through <= 1.0.8. | |
|
vulnerable
|
Jun 07, 2024, 08:06:46 |
Min -
Max 2.2
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Katz Web Services, Inc. Contact Form 7 Newsletter allows Reflected XSS. This issue affects Contact Form 7 Newsletter: from n/a through 2.2. | |
|
vulnerable
|
Dec 13, 2024, 18:12:58 |
Min -
Max 1.0
|
The Custom Skins Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'cf7cs_action_callback' function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the content of any post and create new skins. | |
|
Contact Form 7 Campaign Monitor Extension
vulnerable
|
Sep 28, 2024, 11:09:55 |
Min -
Max 0.4.67
|
Missing Authorization vulnerability in Renzo Johnson Contact Form 7 Campaign Monitor Extension allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Contact Form 7 Campaign Monitor Extension: from n/a through 0.4.67. | |
|
Contact Form 7 IE DatePicker and Number Spinner Fix
vulnerable
|
Jun 07, 2024, 03:06:31 |
Min -
Max 2.6.0
|
Stored XSS in the Contact Form 7 Datepicker plugin through 2.6.0 for WordPress allows authenticated attackers with minimal permissions to save arbitrary JavaScript to the plugin's settings via the unprotected wp_ajax_cf7dp_save_settings AJAX action and the ui_theme parameter. If an administrator creates or modifies a contact form, the JavaScript will be executed in their browser, which can then be used to create new administrative users or perform other actions using the administrator's session. | |
|
Frontend Registration – Contact Form 7
vulnerable
|
Jun 06, 2024, 23:06:12 |
Min -
Max 5.1
|
The Frontend Registration – Contact Form 7 plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1 due to insufficient restriction on the '_cf7frr_' post meta. This makes it possible for authenticated attackers, with editor-level access and above, to modify the default user role in the registration form settings. | |
|
Generate PDF using Contact Form 7
vulnerable
|
Jul 10, 2024, 10:07:03 |
Min -
Max 4.1.3
|
The Generate PDF using Contact Form 7 plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 4.0.6. This is due to missing nonce validation and missing file type validation in the 'wp_cf7_pdf_dashboard_html_page' function. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible via a forged request granted they can trick a site administrator ... | |
|
Generate PDF using Contact Form 7
vulnerable
|
Jul 10, 2024, 10:07:03 |
Min -
Max 4.1.3
|
The Generate PDF using Contact Form 7 plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 4.0.6. This is due to missing nonce validation and the plugin not properly validating a file or its path prior to deleting it in the 'wp_cf7_pdf_dashboard_html_page' function. This makes it possible for unauthenticated attackers to delete arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possi... | |
|
Generate PDF using Contact Form 7
vulnerable
|
Jul 23, 2024, 02:07:23 |
Min -
Max 4.0.6
|
Unrestricted Upload of File with Dangerous Type vulnerability in ZealousWeb Generate PDF using Contact Form 7. This issue affects Generate PDF using Contact Form 7: from n/a through 4.0.6. | |
|
Generate PDF using Contact Form 7
vulnerable
|
Jun 07, 2024, 01:06:54 |
Min -
Max 3.6
|
The Generate PDF WordPress plugin before 3.6 does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |
|
Captcha/Honeypot (CF7, Avada, Elementor, Comments, WPForms) – GDPR ready
vulnerable
|
Jun 07, 2024, 03:06:19 |
Min -
Max 1.11.4
|
Improper Restriction of Excessive Authentication Attempts vulnerability in Forge12 Interactive GmbH Captcha/Honeypot for Contact Form 7 allows Functionality Bypass. This issue affects Captcha/Honeypot for Contact Form 7: from n/a through 1.11.3. | |
|
WPB Popup for Contact Form 7 – Showing The Contact Form 7 Popup on Button Click – CF7 Popup
vulnerable
|
Nov 20, 2024, 01:11:23 |
Min -
Max 1.7.6
|
The WPB Popup for Contact Form 7 – Showing The Contact Form 7 Popup on Button Click – CF7 Popup plugin for WordPress is vulnerable to arbitrary shortcode execution via wpb_pcf_fire_contact_form AJAX action in all versions up to, and including, 1.7.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | |
|
vulnerable
|
Jul 08, 2025, 14:07:41 |
Min -
Max 1.2.0
|
Cross-Site Request Forgery (CSRF) vulnerability in Brian S. Reed Contact Form 7 reCAPTCHA allows Cross Site Request Forgery. This issue affects Contact Form 7 reCAPTCHA: from n/a through 1.2.0. | |
|
Multiline files upload for contact form 7
vulnerable
|
Oct 17, 2024, 04:10:38 |
Min -
Max 2.9
|
The Multiline files upload for contact form 7 plugin for WordPress is vulnerable to unauthorized plugin deactivation due to a missing capability check on the mfcf7_zl_custom_handle_deactivation_plugin_form_submission() function in all versions up to, and including, 2.8.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to deactivate the plugin and send a custom reason from the site. | |
|
Spam Protect for Contact Form 7
vulnerable
|
Mar 29, 2026, 13:03:19 |
Min -
Max 1.2.9
|
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in NYSL Spam Protect for Contact Form 7 wp-contact-form-7-spam-blocker allows Path Traversal. This issue affects Spam Protect for Contact Form 7: from n/a through <= 1.2.9. | |
|
vulnerable
|
Jun 06, 2024, 23:06:25 |
Min -
Max 1.0.2.4
|
The Send PDF for Contact Form 7 plugin for WordPress is vulnerable to unauthorized access of form submissions due to a missing capability check on the hooks function in all versions up to, and including, 1.0.2.3. This makes it possible for unauthenticated attackers to download information about contact form entries with PDFs. | |
|
vulnerable
|
Jun 06, 2024, 23:06:25 |
Min -
Max 0.9.2
|
Send PDF for Contact Form 7 [send-pdf-for-contact-form-7] < 0.9.2 (closed). Send PDF for Contact Form 7 <= 0.9.1 - Multiple Cross-Site Scripting. The Send PDF for Contact Form 7 plugin for WordPress is vulnerable to Cross-Site Scripting in versions up to, and including, 0.9.1 due to insufficient input sanitization and output escaping on multiple parameters. This makes it possible for attackers to inject arbitrary web scripts that execute in a victim's browser. | |
|
vulnerable
|
Jun 06, 2024, 23:06:25 |
Min -
Max 0.9.9.2
|
The Send PDF for Contact Form 7 WordPress plugin before 0.9.9.2 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. | |
|
Contact Form 7 – PayPal & Stripe Add-on
vulnerable
|
Oct 12, 2024, 13:10:31 |
Min -
Max 2.3.1
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Scott Paterson Contact Form 7 – PayPal & Stripe Add-on allows Reflected XSS. This issue affects Contact Form 7 – PayPal & Stripe Add-on: from n/a through 2.3. | |
|
Contact Form 7 – PayPal & Stripe Add-on
vulnerable
|
May 09, 2025, 08:05:37 |
Min -
Max 2.4.1
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Scott Paterson Contact Form 7 – PayPal & Stripe Add-on allows Stored XSS. This issue affects Contact Form 7 – PayPal & Stripe Add-on: from n/a through 2.3.4. | |
|
Contact Form 7 – PayPal & Stripe Add-on
vulnerable
|
Nov 10, 2024, 23:11:10 |
Min -
Max 2.3.2
|
The Contact Form 7 – PayPal & Stripe Add-on plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.3.1. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This is only exploitable when the leave a review notice is prese... | |
|
Contact Form 7 – PayPal & Stripe Add-on
vulnerable
|
Jun 07, 2024, 00:06:18 |
Min -
Max 2.1
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Scott Paterson Contact Form 7 – PayPal & Stripe Add-on allows Reflected XSS. This issue affects Contact Form 7 – PayPal & Stripe Add-on: from n/a through 2.0. | |
|
Contact Form 7 – PayPal & Stripe Add-on
vulnerable
|
Jun 07, 2024, 00:06:18 |
Min -
Max 1.9.4
|
Cross-Site Request Forgery (CSRF) vulnerability in Scott Paterson Contact Form 7 – PayPal & Stripe Add-on plugin <= 1.9.3 versions. | |
|
Contact Form 7 – PayPal & Stripe Add-on
vulnerable
|
Jun 07, 2024, 00:06:18 |
Min -
Max 2.2
|
The Easy PayPal & Stripe Buy Now Button plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.3 and in Contact Form 7 – PayPal & Stripe Add-on all versions up to, and including 2.1. This is due to missing or incorrect nonce validation on the 'wpecpp_stripe_connect_completion' function. This makes it possible for unauthenticated attackers to modify the plugin's settings and change the Stripe connection via a forged request granted they can trick a site admi... | |
|
Jquery Validation For Contact Form 7
vulnerable
|
Jun 07, 2024, 03:06:34 |
Min -
Max 5.3
|
The Jquery Validation For Contact Form 7 WordPress plugin before 5.3 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change Blog options like default_role, users_can_register via a CSRF attack. | |
|
vulnerable
|
Jun 06, 2024, 22:06:18 |
Min -
Max 2.5.1
|
The Skins for Contact Form 7 WordPress plugin before 2.5.1 does not sanitise and escape the tab parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. | |
|
Contact Form 7 Multi-Step Forms
vulnerable
|
Jun 07, 2024, 03:06:39 |
Min -
Max 3.0.9
|
Contact Form 7 Multi-Step Forms [contact-form-7-multi-step-module] < 3.0.9. WordPress Contact Form 7 Multi-Step Forms plugin < 4.1.91 - Sensitive Information Disclosure vulnerability. Sensitive Information Disclosure vulnerability discovered in WordPress Contact Form 7 Multi-Step Forms plugin (versions < 4.1.91). | |
|
Contact Form 7 Multi-Step Forms
vulnerable
|
Nov 15, 2024, 04:11:21 |
Min -
Max 4.1.91
|
The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable. | |
|
Ultimate Addons for Contact Form 7
vulnerable
|
Jun 07, 2024, 02:06:40 |
Min -
Max 3.1.24
|
Unauth. SQL Injection (SQLi) vulnerability in Themefic Ultimate Addons for Contact Form 7 plugin <= 3.1.23 versions. | |
|
Ultimate Addons for Contact Form 7
vulnerable
|
Jun 07, 2024, 02:06:40 |
Min -
Max 3.1.24
|
The Ultimate Addons for Contact Form 7 plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in versions up to, and including, 3.1.23. This makes it possible for authenticated attackers of any authorization level to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |
|
Ultimate Addons for Contact Form 7
vulnerable
|
Jun 07, 2024, 02:06:40 |
Min -
Max 3.1.24
|
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themefic Ultimate Addons for Contact Form 7. This issue affects Ultimate Addons for Contact Form 7: from n/a through 3.1.23. | |
|
Ultimate Addons for Contact Form 7
vulnerable
|
Mar 29, 2026, 15:03:16 |
Min -
Max 3.5.36
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themefic Ultimate Addons for Contact Form 7 ultimate-addons-for-contact-form-7 allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ultimate Addons for Contact Form 7: from n/a through <= 3.5.36. | |
|
Ultimate Addons for Contact Form 7
vulnerable
|
Jun 07, 2024, 02:06:40 |
Min -
Max 3.2.1
|
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Themefic Ultimate Addons for Contact Form 7 plugin <= 3.2.0 versions. | |
|
Ultimate Addons for Contact Form 7
vulnerable
|
Dec 22, 2025, 10:12:43 |
Min -
Max 3.5.34
|
The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'uacf7_get_generated_pdf' function in all versions up to, and including, 3.5.33. This makes it possible for authenticated attackers, with Subscriber-level access and above, to generate and get form submission PDF, when the "PDF Generator" and the "Database" addons are enabled (disabled by default). | |
|
Ultimate Addons for Contact Form 7
vulnerable
|
Jun 07, 2024, 02:06:40 |
Min -
Max 3.1.29
|
The Ultimate Addons for Contact Form 7 WordPress plugin before 3.1.29 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |
|
Ultimate Addons for Contact Form 7
vulnerable
|
Jun 07, 2024, 02:06:40 |
Min -
Max 3.1.29
|
The Ultimate Addons for Contact Form 7 WordPress plugin before 3.1.29 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | |
|
Ultimate Addons for Contact Form 7
vulnerable
|
Jun 07, 2024, 02:06:40 |
Min -
Max 3.2.1
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themefic Ultimate Addons for Contact Form 7 allows Stored XSS. This issue affects Ultimate Addons for Contact Form 7: from n/a through 3.2.0. | |
|
Ultimate Addons for Contact Form 7
vulnerable
|
Jun 19, 2025, 23:06:46 |
Min -
Max 3.5.13
|
The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'save_options' function in all versions up to, and including, 3.5.12. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | |
|
Ultimate Addons for Contact Form 7
vulnerable
|
Jul 02, 2025, 21:07:17 |
Min -
Max 3.5.22
|
The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's UACF7_CUSTOM_FIELDS shortcode in all versions up to, and including, 3.5.21 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |
|
Ultimate Addons for Contact Form 7
vulnerable
|
Jul 02, 2025, 21:07:17 |
Min -
Max 3.5.20
|
The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Database module in versions 3.5.11 to 3.5.19 due to insufficient input sanitization and output escaping. The unfiltered field names are stored alongside the sanitized values. Later, the admin-side AJAX endpoint ajax_get_table_data() returns those raw names as JSON column headers, and the client-side DataTables renderer injects them directly into the DOM without any HTML encoding. This makes it possi... | |
|
Ultimate Addons for Contact Form 7
vulnerable
|
Jun 10, 2024, 12:06:27 |
Min -
Max 3.2.11
|
Missing Authorization vulnerability in Themefic Ultimate Addons for Contact Form 7 allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ultimate Addons for Contact Form 7: from n/a through 3.2.6. | |
|
Ultimate Addons for Contact Form 7
vulnerable
|
Feb 27, 2026, 10:02:54 |
Min -
Max 3.5.34
|
Missing Authorization vulnerability in Themefic Ultimate Addons for Contact Form 7 ultimate-addons-for-contact-form-7 allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ultimate Addons for Contact Form 7: from n/a through <= 3.5.34. | |
|
Drag and Drop Multiple File Upload – Contact Form 7
vulnerable
|
Jun 18, 2025, 02:06:28 |
Min -
Max 1.3.9.0
|
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in all versions up to, and including, 1.3.8.9. This makes it possible for unauthenticated attackers to bypass the plugin's blacklist and upload .phar or other dangerous file types on the affected site's server, which may make remote code execution possible on the servers that are configured to handle .phar files as executable PHP scripts, particularl... | |
|
Drag and Drop Multiple File Upload – Contact Form 7
vulnerable
|
Aug 16, 2025, 23:08:21 |
Min -
Max 1.3.9.1
|
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.3.9.0 via the wpcf7_guest_user_id cookie. This makes it possible for unauthenticated attackers to upload and delete files outside of the originally intended directory. The impact of this vulnerability is limited, as file types are validated and only safe ones can be uploaded, while deletion is limited to the plugin's uploads folder. | |
|
Drag and Drop Multiple File Upload – Contact Form 7
vulnerable
|
Jan 28, 2026, 04:01:10 |
Min -
Max 1.3.9.3
|
The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to limited upload of files with a dangerous type in all versions up to, and including, 1.3.9.2. This is due to the plugin not blocking .phar and .svg files. This makes it possible for unauthenticated attackers to upload arbitrary .phar or .svg files containing malicious PHP or JavaScript code. Malicious PHP code can be used to achieve remote code execution on the server via direct file access, if the server is configu... | |
|
Drag and Drop Multiple File Upload – Contact Form 7
vulnerable
|
Jan 28, 2026, 04:01:10 |
Min -
Max 1.3.9.3
|
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing ownership check in the dnd_codedropz_upload_delete() function in all versions up to, and including, 1.3.9.2. This makes it possible for unauthenticated attackers to delete arbitrary uploaded files when the "Send attachments as links" setting is enabled. | |
|
Drag and Drop Multiple File Upload – Contact Form 7
vulnerable
|
Jun 07, 2024, 00:06:16 |
Min -
Max 1.3.7.8
|
The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.7.7 via the '/wp-content/uploads/wp_dndcf7_uploads/wpcf7-files' directory. This makes it possible for unauthenticated attackers to extract sensitive data uploaded via this plugin through a form. | |
|
Drag and Drop Multiple File Upload – Contact Form 7
vulnerable
|
Jun 07, 2024, 00:06:16 |
Min -
Max 1.3.3.3
|
The drag-and-drop-multiple-file-upload-contact-form-7 plugin before 1.3.3.3 for WordPress allows Unrestricted File Upload and remote code execution by setting supported_type to php% and uploading a .php% file. | |
|
Drag and Drop Multiple File Upload – Contact Form 7
vulnerable
|
Jun 07, 2024, 00:06:16 |
Min -
Max 1.3.5.5
|
The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.3 allows SVG files to be uploaded by default via the dnd_codedropz_upload AJAX action, which could lead to a Stored Cross-Site Scripting issue. | |
|
Drag and Drop Multiple File Upload – Contact Form 7
vulnerable
|
Jun 07, 2024, 00:06:16 |
Min -
Max 1.3.5.5
|
The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.5 does not properly check for the upload size limit set in forms, taking the value from user input sent when submitting the form. As a result, attackers could control the file length limit and bypass the limit set by admins in the contact form. | |
|
Drag and Drop Multiple File Upload – Contact Form 7
vulnerable
|
Jun 07, 2024, 00:06:16 |
Min -
Max 1.3.6.6
|
Cross-Site Request Forgery (CSRF) vulnerability in Glen Don L. Mongaya Drag and Drop Multiple File Upload – Contact Form 7 plugin <= 1.3.6.5 versions. | |
|
Drag and Drop Multiple File Upload – Contact Form 7
vulnerable
|
Jun 07, 2024, 00:06:16 |
Min -
Max 1.3.7.4
|
The Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'dnd_upload_cf7_upload' function in versions up to, and including, 1.3.7.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This can be exploited if a user authorized to edit form, which means editor privileges or above, has added a 'multiple ... | |
|
Drag and Drop Multiple File Upload – Contact Form 7
vulnerable
|
Apr 02, 2025, 14:04:22 |
Min -
Max 1.3.8.8
|
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.8.7 via deserialization of untrusted input from the 'dnd_upload_cf7_upload' function. This makes it possible for attackers to inject a PHP Object through a PHAR file. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. I... | |
|
Drag and Drop Multiple File Upload – Contact Form 7
vulnerable
|
Apr 02, 2025, 14:04:22 |
Min -
Max 1.3.8.8
|
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'dnd_remove_uploaded_files' function in all versions up to, and including, 1.3.8.7. This makes it possible for unauthenticated attackers to add arbitrary file paths (such as ../../../../wp-config.php) to uploaded files on the server, which can easily lead to remote code execution when an Administrator deletes the message. Exploiting this vuln... | |
|
Drag and Drop Multiple File Upload – Contact Form 7
vulnerable
|
Feb 01, 2025, 13:02:51 |
Min -
Max 1.3.8.6
|
The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to limited arbitrary file deletion due to insufficient file path validation in the dnd_codedropz_upload_delete() function in all versions up to, and including, 1.3.8.5. This makes it possible for unauthenticated attackers to delete limited arbitrary files on the server. It is not possible to delete files like wp-config.php that would make RCE possible. | |
|
vulnerable
|
Jun 06, 2024, 23:06:18 |
Min -
Max 0.1.2
|
The Contact Form 7 Captcha WordPress plugin before 0.1.2 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers. | |
|
vulnerable
|
Jun 06, 2024, 23:06:18 |
Min -
Max 0.0.9
|
The Contact Form 7 Captcha WordPress plugin before 0.0.9 does not have any CSRF check in place when saving its settings, allowing an attacker to make a logged-in user with the manage_options capability change them. Furthermore, the settings are not escaped when output in attributes, leading to a Stored Cross-Site Scripting issue. | |
|
Contact Form 7 – Dynamic Text Extension
vulnerable
|
Jun 07, 2024, 08:06:42 |
Min -
Max 3.0.0
|
Contact Form 7 – Dynamic Text Extension [contact-form-7-dynamic-text-extension] < 3.0.0 (closed). WordPress Contact Form 7 Dynamic Text Extension plugin <= 2.0.2.1: Reflected Cross-Site Scripting (XSS) vulnerability. Reflected Cross-Site Scripting (XSS) vulnerability found in WordPress Contact Form 7 Dynamic Text Extension plugin (versions <= 2.0.2.1). | |
|
Contact Form 7 – Dynamic Text Extension
vulnerable
|
Jun 07, 2024, 08:06:42 |
Min -
Max 4.2.0
|
The Contact Form 7 – Dynamic Text Extension plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the CF7_get_custom_field and CF7_get_current_user shortcodes due to missing validation on a user controlled key. This makes it possible for authenticated attackers with contributor access or higher to access arbitrary metadata of any post type, referencing the post by id and the meta by key. | |
|
Contact Form 7 – Dynamic Text Extension
vulnerable
|
Nov 07, 2024, 01:11:20 |
Min -
Max 4.5.1
|
The Contact Form 7 – Dynamic Text Extension plugin for WordPress is vulnerable to Basic Information Disclosure in all versions up to, and including, 4.5 via the CF7_get_post_var shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract the titles and text contents of private and password-protected posts they do not own. | |
|
Contact Form 7 – Dynamic Text Extension
vulnerable
|
Jan 09, 2026, 10:01:33 |
Min -
Max 5.0.3
|
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in sevenspark Contact Form 7 Dynamic Text Extension contact-form-7-dynamic-text-extension allows Code Injection. This issue affects Contact Form 7 Dynamic Text Extension: from n/a through <= 5.0.3. | |
|
Contact Form 7 – Dynamic Text Extension
vulnerable
|
Dec 23, 2024, 00:12:41 |
Min -
Max 5.0.2
|
Cross-Site Request Forgery (CSRF) vulnerability in AuRise Creative, SevenSpark Contact Form 7 Dynamic Text Extension allows Cross Site Request Forgery. This issue affects Contact Form 7 Dynamic Text Extension: from n/a through 5.0.1. | |
|
vulnerable
|
Apr 16, 2025, 16:04:41 |
Min -
Max 6.0.6
|
The Contact Form 7 plugin for WordPress is vulnerable to Order Replay in all versions up to, and including, 6.0.5 via the 'wpcf7_stripe_skip_spam_check' function due to insufficient validation on a user controlled key. This makes it possible for unauthenticated attackers to reuse a single Stripe PaymentIntent for multiple transactions. Only the first transaction is processed via Stripe, but the plugin sends a successful email message for each transaction, which may trick an administrator into fulfilling eac... | |
|
vulnerable
|
Jun 07, 2024, 01:06:50 |
Min -
Max 5.0.4
|
Rock Lobster Contact Form 7 before 3.7.2 allows remote attackers to bypass the CAPTCHA protection mechanism and submit arbitrary form data by omitting the _wpcf7_captcha_challenge_captcha-719 parameter. | |
|
vulnerable
|
Jun 07, 2024, 01:06:50 |
Min -
Max 5.0.4
|
The contact-form-7 plugin before 5.0.4 for WordPress has privilege escalation because of capability_type mishandling in register_post_type. | |
|
vulnerable
|
Jun 07, 2024, 01:06:50 |
Min -
Max 5.9.2
|
The Contact Form 7 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘active-tab’ parameter in all versions up to, and including, 5.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |
|
vulnerable
|
Jun 07, 2024, 01:06:50 |
Min -
Max 5.8.4
|
The Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'validate' function and insufficient blocklisting on the 'wpcf7_antiscript_file_name' function in versions up to, and including, 5.8.3. This makes it possible for authenticated attackers with editor-level capabilities or above to upload arbitrary files on the affected site's server, but due to the htaccess configuration, remote code cannot be executed in most cases. By default, the... | |
|
vulnerable
|
Jun 07, 2024, 01:06:50 |
Min -
Max 5.3.2
|
The contact-form-7 (aka Contact Form 7) plugin before 5.3.2 for WordPress allows Unrestricted File Upload and remote code execution because a filename may contain special characters. | |
|
SAFE & CERTIFIED
|
Jul 24, 2024, 15:07:39 |
Min 6.1.5
Max 6.1.5
|
Contact Form 7 plugin, one of the most popular contact form plugins for WordPress, has reached a new milestone in security. The latest version, 6.1.4, has successfully passed the Plugin Security Certification (PSC) conducted by CleanTalk, ensuring that users can enjoy enhanced security features along with the plugin’s robust functionality. | |
|
vulnerable
|
Jun 29, 2024, 04:06:41 |
Min -
Max 5.9.5
|
The Contact Form 7 WordPress plugin before 5.9.5 has an open redirect that allows an attacker to utilize a false URL and redirect to the URL of their choosing. | |